NAT design problem

Post by Vincent C. Jon » Wed, 09 Aug 2000 04:00:00



Have you considered putting the "loopback" at the outside router? That
way, the PIX stays simple and there is no way for one user to clobber
another. It does make screening for spoofing more difficult, so that may
take some adjustment (normally, the routers and PIX would be configured
to reject any inbound packets with their outbound address as source).

Good luck and have fun!

Vincent C Jones



>I have a NAT/PAT design problem that's driving me nuts.

>Diagram is straightforward, and looks like this ("I" means connected):

>Internet
>I
>router
>I
>PIX
>I
>access router
>I
>many customer nets using 10. /8 net address space

>Let's say that there are two private address space customer nets on the
>inside. Each of them has one or two hosts, which should be visible from
>Internet. That's no problem, static NAT is used (conduit at PIX). All other
>hosts access Internet via PIX's overloaded address.

>Now, I want to make those customer nets invisible to each other (access-list
>at access router should do this just fine).

>So any host from first private net who wants to talk to publicly accessible
>host on second private net MUST USE that host's Internet wide IP (which is
>available via DNS, and is hard coded into the PIX).

>The problem goes down to this question: Can PIX receive packet with source
>addr. originating from inside and destination addr. belonging to one of
>its conduit statements (legal internet address), and therefore return it
>back to the same interface translated in THIS way - source=PIX's overloaded
>address, dest=private address matching that legal Internet address?

>Is it possible to do something like that?

>Again, this is one design alternative, and I would appreciate comments.

>Thanks folks!

>Misa

--
Dr. Vincent C. Jones, PE              Expert advice and a helping hand
Computer Network Consultant           for those who want to manage and
Networking Unlimited, Inc.            control their networking destiny
14 Dogwood Lane, Tenafly, NJ 07670
http://www.networkingunlimited.com


NAT design problem

Post by S. Tony Mesia » Wed, 09 Aug 2000 04:00:00


It would seem like you might be able to, but I'm not too sure as to why you
want to do it this way. Are you trying to filter traffic between the two NATs
by using the external rules of the PIX firewall?

Is your stuff really like this:

****Pix*****
*****I******
Access Router
**I*****I****
Cust***Cust**
Net ****net***
*1******2****
?
Wouldn't you keep internal traffic internal and do filtering at the access
router, or is there something that just totally requires you use PIX?


> I have a NAT/PAT design problem that's driving me nuts.

> Diagram is straightforward, and looks like this ("I" means connected):

> Internet
> I
> router
> I
> PIX
> I
> access router
> I
> many customer nets using 10. /8 net address space

> Let's say that there are two private address space customer nets on the
> inside. Each of them has one or two hosts, which should be visible from
> Internet. That's no problem, static NAT is used (conduit at PIX). All other
> hosts access Internet via PIX's overloaded address.

> Now, I want to make those customer nets invisible to each other (access-list
> at access router should do this just fine).

> So any host from first private net who wants to talk to publicly accessible
> host on second private net MUST USE that host's Internet wide IP (which is
> available via DNS, and is hard coded into the PIX).

> The problem goes down to this question: Can PIX receive packet with source
> addr. originating from inside and destination addr. belonging to one of
> its conduit statements (legal internet address), and therefore return it
> back to the same interface translated in THIS way - source=PIX's overloaded
> address, dest=private address matching that legal Internet address?

> Is it possible to do something like that?

> Again, this is one design alternative, and I would appreciate comments.

> Thanks folks!

> Misa



NAT design problem

Post by Milos Kosti » Thu, 10 Aug 2000 04:00:00


I have a NAT/PAT design problem that's driving me nuts.

Diagram is straightforward, and looks like this ("I" means connected):

Internet
I
router
I
PIX
I
access router
I
many customer nets using 10. /8 net address space

Let's say that there are two private address space customer nets on the
inside. Each of them has one or two hosts, which should be visible from
Internet. That's no problem, static NAT is used (conduit at PIX). All other
hosts access Internet via PIX's overloaded address.

Now, I want to make those customer nets invisible to each other (access-list
at access router should do this just fine).

So any host from first private net who wants to talk to publicly accessible
host on second private net MUST USE that host's Internet wide IP (which is
available via DNS, and is hard coded into the PIX).

The problem goes down to this question: Can PIX receive packet with source
addr. originating from inside and destination addr. belonging to one of
its conduit statements (legal internet address), and therefore return it
back to the same interface translated in THIS way - source=PIX's overloaded
address, dest=private address matching that legal Internet address?

Is it possible to do something like that?

Again, this is one design alternative, and I would appreciate comments.

Thanks folks!

Misa
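The following is an added worked example, not code from this thread and not Cisco PIX code. It is a small Python model of the two translation paths discussed above: the "hairpin" Misa asks about (packet arrives on the inside interface, destination is one of the static/conduit public addresses, and it is sent back out the inside interface as source=PAT address, destination=the static's private address), and Vincent's alternative of looping the packet through the outside router, which runs into the usual anti-spoofing screen (drop packets arriving on the outside interface whose source is an inside address or one of the firewall's own public addresses). All addresses, the 10.0.0.0/8 inside space and the behaviour of the functions are constructed assumptions for illustration; whether a real PIX performs the hairpin is exactly the open question in the thread, and this code does not answer it.

```python
"""Toy model of static NAT (conduit) + PAT overload with an anti-spoofing
ingress screen. Added example; addresses are constructed, not from the thread."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import Optional, Union

PAT_ADDR = ip_address("198.51.100.1")          # PIX "overloaded" address (constructed)
STATIC = {                                     # public -> private conduits (constructed)
    ip_address("198.51.100.10"): ip_address("10.1.0.10"),   # customer net 1 server
    ip_address("198.51.100.20"): ip_address("10.2.0.20"),   # customer net 2 server
}
PRIVATE_TO_PUBLIC = {priv: pub for pub, priv in STATIC.items()}
INSIDE_SPACE = ip_network("10.0.0.0/8")        # all customer nets, per the diagram
OUR_PUBLIC = set(STATIC) | {PAT_ADDR}          # addresses the firewall itself owns


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    iface: str   # interface the packet arrives on: "inside" or "outside"

    def __str__(self) -> str:
        return f"{self.src}->{self.dst} on {self.iface}"


def antispoof(pkt: Packet, allow_loopback: bool = False) -> bool:
    """Ingress screen. Inside-arriving packets must carry an inside source.
    Outside-arriving packets must carry neither an inside source nor one of
    our own public addresses; allow_loopback relaxes only the second rule,
    which is the adjustment Vincent says the router-loopback design needs."""
    if pkt.iface == "inside":
        return pkt.src in INSIDE_SPACE
    if pkt.src in INSIDE_SPACE:
        return False                           # never relaxed: classic spoof
    if pkt.src in OUR_PUBLIC:
        return allow_loopback                  # looped-back traffic looks like this
    return True


def outbound(pkt: Packet) -> Packet:
    """inside -> outside: static public source if the host has one, else PAT."""
    return Packet(PRIVATE_TO_PUBLIC.get(pkt.src, PAT_ADDR), pkt.dst, "outside")


def inbound(pkt: Packet) -> Optional[Packet]:
    """outside -> inside: only destinations with a static/conduit are admitted."""
    priv = STATIC.get(pkt.dst)
    return None if priv is None else Packet(pkt.src, priv, "inside")


def hairpin(pkt: Packet) -> Optional[Packet]:
    """The translation Misa asks for: arrive on inside, destination is a
    conduit address, leave on inside as src=PAT, dst=conduit's private host."""
    priv = STATIC.get(pkt.dst)
    if pkt.iface != "inside" or priv is None:
        return None
    return Packet(PAT_ADDR, priv, "inside")


def via_outside_router(pkt: Packet, allow_loopback: bool) -> Union[Packet, str]:
    """Vincent's alternative: normal outbound translation, the outside router
    loops the packet back, and the PIX sees it arrive on the outside interface."""
    out = outbound(pkt)
    looped = Packet(out.src, out.dst, "outside")
    if not antispoof(looped, allow_loopback):
        return "dropped by anti-spoof screen"
    return inbound(looped)


def demo() -> dict:
    """Run both designs for a customer-1 host reaching customer-2's public server."""
    req = Packet(ip_address("10.1.0.5"), ip_address("198.51.100.20"), "inside")
    spoof = Packet(ip_address("10.9.9.9"), ip_address("198.51.100.20"), "outside")
    return {
        "hairpin": str(hairpin(req)),
        "hairpin_no_static": str(hairpin(Packet(req.src, ip_address("203.0.113.9"), "inside"))),
        "loopback_strict": str(via_outside_router(req, allow_loopback=False)),
        "loopback_relaxed": str(via_outside_router(req, allow_loopback=True)),
        "spoof_from_outside_passes": antispoof(spoof, allow_loopback=True),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes concrete is Vincent's caveat: with the loopback at the outside router, a packet whose source is the firewall's own PAT address legitimately arrives on the outside interface, so the usual "reject our own addresses as inbound source" rule has to be loosened for that case, while the rule against inside (10/8) sources arriving from outside can stay strict.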


NAT design problem

Post by Milos Kosti » Thu, 10 Aug 2000 04:00:00


Yes, I want to apply external rules to internal customers when they access
other internal customer's net. Essentially, customers have nothing in
common, and this traffic should be treated the same way the Internet to
customer traffic is. Which implies use of external rules. Now I am aware
that I can use 2 sets of rules, one for true Internet-customer traffic, and
one for customer-customer traffic, but isn't that hard to maintain (and
error prone too)? Imagine 100 customer nets...

To answer the second question, your drawing is correct, but nothing exists
right now, since I am still designing it.



> It would seem like you might be able to, but I'm not too sure as to why you
> want to do it this way. Are you trying to filter traffic between the two NATs
> by using the external rules of the PIX firewall?

> Is your stuff really like this:

> ****Pix*****
> *****I******
> Access Router
> **I*****I****
> Cust***Cust**
> Net ****net***
> *1******2****
> ?
> Wouldn't you keep internal traffic internal and do filtering at the access
> router, or is there something that just totally requires you use PIX?